Fix bootstrap pre-flight check and cleanup null-SHA / 403-PR / 422-DELETE bugs

[Copilot]

The bootstrap workflow was aborting before doing any work due to a flawed PAT permission probe, and the cleanup workflow was failing on expected conditions due to shell scripting bugs with gh api output handling.

Bootstrap — remove broken pre-flight PR-permission check

The pre-flight step probed PR-creation permission against Cratis/Workflows — the one repo explicitly skipped during bootstrapping. A correctly scoped fine-grained PAT (no access to Workflows, full access everywhere else) always returns 403 here, killing the job before touching a single target repo.

Removed the curl probe entirely. PR-creation failures are already caught and reported per-repo in the main loop.

Cleanup — three gh api output-handling bugs

"null" branch SHA treated as present
gh api ... --jq '.object.sha' 2>/dev/null || true sets branch_sha to the literal string "null" when a branch doesn't exist (jq output for a missing field on an error body). [ -z "$branch_sha" ] is false for "null", so cleanup attempted — and failed — to delete branches that never existed.

# Before
if [ -z "$branch_sha" ]; then
# After
if [ -z "$branch_sha" ] || [ "$branch_sha" = "null" ]; then

403 error JSON leaked into $open_pr
When the PR-list endpoint returned 403, gh api wrote the raw error JSON to stdout before jq ran, making $open_pr a non-empty string. Repos were wrongly skipped as if they had an open PR. Fixed by capturing the raw response first, then piping through a standalone jq call so error objects always produce empty output.

422 / 409 DELETE errors treated as failures
422 ("Reference does not exist") and 409 ("Git Repository is empty") on DELETE are expected harmless conditions (branch already gone, empty repo). These now count as successful cleanup rather than job-failing errors.

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[einari]

@copilot double check the Git history to make sure the fix you now have actually is something we haven’t tried before

[Copilot]

@copilot double check the Git history to make sure the fix you now have actually is something we haven’t tried before

Checked the full git history across all 12 merged PRs. All three fixes in b16aa5c are genuinely new:

Bootstrap — remove pre-flight probe (new approach):
Every previous session added or tweaked a pre-flight check, never removed one. 1a94bd1 added an OAuth-scope header check; e3afda2 replaced it with the curl PR-creation probe against Cratis/Workflows/pulls that caused today's failure. My fix removes the probe entirely — no previous commit has done this.

Cleanup — all three fixes are new:
The cleanup workflow only has 2 commits: e3afda2 (created it with all bugs) and my b16aa5c. No prior session ever touched the cleanup workflow's shell logic. Specifically:

• "null" branch-SHA bug — new. bba88ec fixed a similar null-check in bootstrap, but never in cleanup.
• 403 PR-response leak — new for cleanup. Same pattern fixed in bootstrap by bba88ec, but cleanup was created after that and had the bug baked in from the start.
• 422/409 DELETE treated as failures — completely new; never addressed anywhere.

[einari]

@copilot can you some how verify that your fixes will work, so I don’t have to create a new mess in all the repositories

[Copilot]

@copilot can you some how verify that your fixes will work, so I don’t have to create a new mess in all the repositories

Verified all four fixes with local shell tests that reproduce each exact failure scenario (18/18 pass):

Fix 1 — "null" branch SHA: Confirmed that [ -z "null" ] is false (the bug), so the old code attempted to delete branches that don't exist. The new || [ "$branch_sha" = "null" ] guard correctly skips them.

Fix 2 — 403 JSON leaked into $open_pr: The root cause is that when jq '.[0]' is applied to an error object (not an array), jq throws "Cannot index object with number" and the gh cli falls back to writing the raw JSON body to stdout. With || true the non-zero exit is swallowed, so $open_pr ends up holding the full error JSON string (non-empty → repo wrongly skipped). The fix pipes the same raw string through a standalone jq -r '.[0].number // empty' 2>/dev/null || true — the error is suppressed, result is empty.

Fix 3 — 422/409 DELETE: Confirmed the status-field extraction correctly flags 422 and 409 as success, while 500/401 remain real failures.

Fix 4 — Bootstrap pre-flight removed: Grep confirms the curl probe and the http_code=403 abort are gone, and the basic gh api /user auth check is still present.

[einari]

‘